Windows Server 2008 – Fine Grained Password Policy Walkthrough

Windows 2008 has lot of new technologies to offer and along with SP2 it has been increased. Branch office caching, Active Directory recycle bin..etc. Among those one of the cool feature is Fine grained password policy. Using this method you can given different set of password polices to selected users or group despite of the default password policy.

This may sound good if you have wish to have different password policy to managers and different password polices to general users and avoid the hassle you face when they forget their complex password. (you know what I mean..right 🙂 Of course you might have been using the password filter or deploy multiple domains to archive this but end of the day those are really frustrating and time consuming methods.

so now you had the taste of the feature let’s get our sleeves up for the work 🙂 To make things easier I am going to built this article based on a scenario based method.

Contoso.com is the default domain of the fictitious company and Neo parker has been the CEO. He don’t like the idea of having a complex password to remember and prefers to have a simple password as his account password. So without breaking the security on the entire domain level you’re going to reduce the password complexity and the minimum of 5 characters to his passwords.

Requirements: your AD domain functional level has to be raised to windows 2008.

First have a look into your existing domain-wide default password policies,

So now we need to create the Password Setting object (PSO). in order to do that we need to open the ADSI edit. I have to warn ADSI edit is not a place to mess around with unless you know exactly what you’re doing!

Go to Start–> Administrative tools –> ADSI edit –> select the default settings to connect to the domain. After that in order to create the PSO browse to Expand to Default Naming content\DC=Contoso,DC=com\CN=System\CN=Password Settings Container\

Right click and select new Object,

After that you have to select msDS-PasswordSettings and click next

After that we are coming to complex part of giving the parameters, this is the place you have to pay attention and provide the correct parameters. For detail step by step you can visit here

First setting being ask is to provide a name for the policy, you can give an fancy name but stick to a one that is meaningful,

Next setting is msDS\PasswordsSettingsPrecedence. Assuming the user is a member of 2 or more groups and having different password polices the number you set here will determine which policy to take procedure. So set the value to 1 to make sure this policy will apply all the time to Neo

Next one is msDS-PasswordReversibleEncryptionEnabled which is self explanatory

Next few option are really self explanatory so I’ll insert the parameter and the value until we come up with another interesting value 🙂

msDS-PasswordHistoryLength (Also self explanatory… you can keep up to 1024) Value = 10

· msDS-MinimumPasswordLength (If only everyone were using pass-phrases instead of passwords)

Value = 5

After that we are being request to provide values for MinimumPasswordAge, MaximumPasswordAge, LockoutObservationWindow, and LockoutDuration.

So let us walk through the first one of this kind, msDS-MinimumPasswordAge

In the above picture I have provided the value of 1 day. First section is days, then hours, minutes and seconds. Next is

msDS-MaximumPasswordAge

I hope rest process will be easy for you as we discuss here. so instead of the screenshots let me provide the values as follows,

msDS-LockoutThreshold

Value = 0

msDS-LockoutObservationWindow

Value =00:00:06:00

msDS-LockoutDuration

Value = 00:00:06:00

Once you complete the last step you will click the Finish button to complete the steps. If you encounter any errors please have a look into the values you have provided.

so now we have provided Neo minimum characters 5 to his password and still enabled the Password complexity parameter and provide less time value for the Lockdown duration 🙂

but still we are not completed because we have to tell the system this PSO need to be apply to Neo. If we double click the msDS-PSOAppliesTo parameter we have the option to provide the particular user’s or Group’s DN.

so now what how to find the DN value? well my friends we have to walk to the Active Directory Users and computers, and enabled the Advances Features,

After that we need to go to the properties of the Neo’s account and select the Attribute Editor which shows the DN of Neo’s user account.

Copy that value and we go back to the ADSI editor CN=System –>CN=Password Settings and under the current PSO paste the values you have copied from Neo’s account,